Microsoft has finally repaired the security flaw that led to a public spat with Google last week.
In a security bulletin issued today, Microsoft revealed that it had fixed a “critical” flaw that was being actively exploited by hackers.
“This security update resolves vulnerabilities in Microsoft Windows,” reads the bulletin. “The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.”
The issue first came to public attention after Google revealed it had uncovered the flaw on October 31. Google actually warned Microsoft about the flaw privately, telling the software giant that it knew the exploit was being used by nefarious parties. In a blog post, Neel Mehta and Billy Leonard, of Google’s Threat Analysis Group, wrote:
“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released.”
It continued: “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.”
Then, in a statement to VentureBeat, Microsoft revealed that it wasn’t happy with how Google handled the situation:
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
On November 1, Microsoft Windows and Devices boss Terry Myerson acknowledged that Microsoft had recently detected a “low-volume spear-phishing campaign” from an “activity group” it called STRONTIUM – though the group is widely known as ‘Fancy Bear’. The group, which Microsoft blamed for exploiting the flaw, has previously been linked to the Russian government, and is accused of being behind the recent US election hacks.
In a blog post, Myerson wrote: “STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organisations, as well as affiliated private sector organisations such as defence contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016.”